A critical zero-day vulnerability in Citrix products, CVE-2023-3519, has been actively exploited by hackers, putting thousands of companies, especially critical infrastructure organizations, at risk. Citrix issued a warning about the flaw, which affects NetScaler ADC and NetScaler Gateway devices, scoring a severity rating of 9.8 out of 10.
This zero-day allows remote, unauthenticated attackers to execute arbitrary code on the affected devices, and there is evidence that the vulnerability has already been exploited in the wild. Citrix acted swiftly by releasing security updates on July 18, urging users to install the patches immediately.
The U.S. cybersecurity agency, CISA, disclosed that the flaw was used in an attack against a critical infrastructure organization in June, with the incident reported to the agency in July. The hackers used the exploit to insert a webshell into the organization's NetScaler ADC appliance, which allowed them to extract sensitive data from Active Directory.
Although the targeted organization successfully thwarted the hackers, thousands of other organizations remain vulnerable. The Shadowserver Foundation, dedicated to enhancing internet security, discovered over 15,000 at-risk Citrix servers worldwide. The United States has the highest number of unpatched servers (5,700), followed by Germany (1,500), the U.K. (1,000), and Australia (582).
The identity of the hackers behind the exploitation remains unknown. In the past, financially motivated cybercriminals and state-sponsored actors, including groups linked to China, have targeted Citrix vulnerabilities. Mandiant researchers stated that the current intrusions are consistent with the tactics of China-based threat groups, suggesting an espionage-driven campaign. The attackers focus on technologies without endpoint detection and response solutions, such as firewalls, IoT devices, hypervisors, and VPNs.
As the situation develops, companies are urged to install the Citrix patches promptly to prevent potential breaches and data exfiltration. Almog Apirion, CEO and co-founder of Cyolo, highlights the difficulty of securing OT environments and what organizations can do to safeguard them:
"The critical aspects of OT systems make it so they must operate continuously without any downtime, as it directly impacts workers' safety and the business's operational performance overall. As old versions of products and sensitive information are managed in tandem, the difficulty of securing applications continues to be a major problem that only highlights the complexity of OT infrastructures today.
To effectively safeguard organizations' OT environments, modern strategies are necessary. These techniques include technologies like zero-trust access or high-risk identity access management solutions capable of securing both IT and OT environments. By adopting these measures, organizations can ensure the safety and security of their industrial operations."